Time
2 hours 23 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:01
Hello and welcome to this IT Security Policy training from Cybrary. We're continuing with module two, the unique user policy.
00:09
My name is Troy LeMaire.
00:12
The learning objective for this policy is unique user login ID,
00:16
auditing and network access form.
00:22
We're gonna use another template from healthit.gov.
00:26
Again, your major
00:27
categories are in here, your review and your purpose. Purpose is to ensure accountability of all users that access
00:34
networks and network devices.
00:37
Scope is the policy applies to all company employees and affiliates
00:41
and getting into the meat of the policy
00:43
Individual users shall have unique login IDs and passwords, and an access control system shall identify each user and prevent unauthorized access,
00:51
or unauthorized users from entering or using information resources.
00:56
Basically every user should always have their own ID.
01:00
You don't want to have a situation where you have users that are sharing IDs.
01:03
What can happen is
01:06
when a shared ID is used by two different users, if something happens in the system that you need to be able to track, or some type of legal action happens or a regulatory action happens,
01:17
then at that point, you have a hard time distinguishing who actually took the action or did the action in the system because it's shared between users.
01:26
But you don't want them to be able to share. You want to be able to give information about their user IDs to another user. And you wanna put that in the policy to make sure that's reinforced.
01:34
Security requirements for user identification include: each user shall be assigned a unique identifier.
01:42
Users shall be responsible for the use and misuse of their individual logon IDs.
01:47
All user login IDs are audited at least twice yearly. So this is something that's highlighted because you need to specify how often you wanna audit these login IDs.
01:57
Then all inactive login IDs are revoked. You don't wanna have login IDs for prior employees that are no longer in the system because that
02:05
tends to allow somebody who's not supposed to be using that ID to be able to get in under that name.
02:12
Practice Human Resource department notifies the Security Office or appropriate personnel upon the departure of all employees and contractors, at which time login IDs are revoked. So you want to change this for whatever your process is, whatever your HR department does to notify the IT department that an employee is no longer there. You want to designate that in this description
02:31
and then explain how it's going to be revoked.
02:35
Login IDs are locked or revoked after a maximum of three unsuccessful login attempts, which then require the password to be reset by the appropriate administrator,
02:44
again highlighted for three unsuccessful logins
02:46
because in some cases what will happen is, three times is what you might have, but you might have it only two times
02:54
on certain systems or five times on other systems, depending on the security of the system.
03:00
And then they talk about the password has to be reset. In some situations you don't need to reset a password. What will happen is that account needs to be enabled again after it is disabled or locked
03:09
by the system. After three unsuccessful attempts.
03:14
Users who desire to obtain access to systems must have a completed and signed network access form.
03:20
Form must be signed by the supervisor or department head of each user requesting access.
03:23
So basically, you wanna have a procedure in place where there is documentation
03:29
that this user ID for this employee is being requested and you want that request to come from a higher authority than that user. So a supervisor or a manager should have some type of sign off that says, yes, I am granting and approving the ability for this user to obtain
03:46
access to the systems. And that way you have a tracking mechanism to make sure that
03:51
it is done in a way that is secure
03:54
And as always, policy compliance.
03:58
Verification from the compliance department or the IT department is gonna be used in various methods. Exceptions to the policy must be approved in advance.
04:08
And if you violate the policy, you could be subject to disciplinary action.
04:15
So in today's brief lecture, we discussed the unique user policy: unique user login ID, the auditing, and the network access form.
04:26
A recap question on unique user policy:
04:28
Users shall be responsible for the blank and blank of their individual logon ID.
04:34
And that would be for the use and misuse of their individual login ID.
04:43
Another recap question. Who should sign a network access form?
04:48
And this would be a supervisor or manager
04:51
basically anybody in authority over that position to give the approval needed
04:57
for that access that is being requested.
05:02
And our next lecture will look at
05:04
password management, still part of general policies.
05:10
If you have any questions or need clarification, as always, Cybrary message. My username is at Troy LeMaire,
05:15
and thank you for attending this Cybrary training.

Up Next

Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By

Troy LeMaire
IT Security Officer at Acadian Ambulance
Instructor